5: Given an infected host system with Covert_TCP successfully installed/configured, will the beacon back to the malicious C2 server be successful in traversing the depicted network to its intended destination?


A. No, all WAN optimizers have next-generation firewalls onboard and it would filter this malicious traffic.

B. Yes, the infected host’s Covert_TCP packet will reach its destination since WAN optimizers simply allow traffic to pass through them, inspecting the traffic flow to make better informed decisions about future bandwidth allocation and planning.

C. Yes, the infected host will be able to communicate with the C2 server since Covert_TCP uses TCP header fields that are left unaltered, as packets traverse the network.

D. No, WAN optimizers that use TCP acceleration will create a new TCP session on behalf of the client/server and during the creation of this new session the covert channel information would be dropped.

The correct answer was…

D. No, WAN optimizers that use TCP acceleration will create a new TCP session on behalf of the client/server and during the creation of this new session the covert channel information would be dropped.

The contest is closed, so we won’t be taking into account any more answers.

A host has been compromised on the distant end of a satellite communication link. The host has malware that has been successfully uploaded and is attempting to run the Covert_TCP tool (i.e., covert channels within TCP headers). This tool is being utilized to beacon back to a malicious command & control (C2) server and receive follow-on instructions. The satellite communication path utilizes WAN optimization devices to provide better user experience and utilization of the bandwidth. The system administrator has enabled protocol spoofing, latency optimization, and TCP acceleration on the WAN optimization devices.

Who asked the question:

Brad Palm

Highly skilled at analyzing and navigating the IT risks that are inherent when adopting technologies, Brad is motivated to work with dynamic, fast-paced, high-performing teams. Brad is operating BruteForce, a digital security and network analysis consulting firm.